BibTeX

Abstract

In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the
role it plays in the proliferation of unwanted software. Commercial PPI enables
companies to bundle their applications with more popular software in return for a
fee, effectively commoditizing access to user devices. We develop an analysis
pipeline to track the business relationships underpinning four of the largest
commercial PPI networks and classify the software families bundled. In turn, we
measure their impact on end users and enumerate the distribution techniques
involved. We find that unwanted ad injectors, browser settings hijackers, and
cleanup utilities dominate the software families buying installs. Developers of
these families pay $0.10--$1.50 per install---upfront costs that they recuperate by
monetizing users without their consent or by charging exorbitant subscription fees.
Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over
60 million download attempts every week---nearly three times that of malware. While
anti-virus and browsers have rolled out defenses to protect users from unwanted
software, we find evidence that PPI networks actively interfere with or evade
detection. Our results illustrate the deceptive practices of some commercial PPI
operators that persist today.